Solved

Unable to hunt down the user/process that failes to authenticate on DC

  • 23 May 2023
  • 8 replies
  • 94 views

I monitor for failed authentications on DC’s.

labels: Authentication | Fail | Kerberos | User

My top failed authentications is on one client/one account that I can’t hunt down. I have looked at all process’es and their “credential’s” + installed sysmon on the client. But I can’t find the process or user. Any ideas how I could hunt this down?

icon

Best answer by Gustav Elkjær Rødsgaard 30 May 2023, 09:40

View original

8 replies

Userlevel 3
Badge +3

Hi Henrik,

I am unsure i understand your question properly. What do you mean excatly when you say you can’t hunt down the account?

Best Regards,
Gustav

I mean that I can’t find which process on the target is doing the logons. There is nothing in the security or sysmon eventlog on the target, no scheduled tasks, processes, config files with that account. The failed logins accour once a minute.

Userlevel 3
Badge +3

Hi,

Alirght, that makes more sense.

Can you tell me which event id you get from the failed login events?

Best Regards,
Gustav

event_id=4771

Userlevel 3
Badge +3

Hi Henrik,

In the user_id field there should be a SID. Can try mappin the SID to the user?
 

also you can see the reason for failing from the status_code to the error message as seen in the tabel on this link: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771

Best Regards,
Gustav

Hi!

SID is mapped to a valid user account in AD, 0x18 is the the status_code. 

 

Userlevel 3
Badge +3

Hi Henrik,

Could it be a Service Account generating failed logins because of a password change?

https://backstage.forgerock.com/knowledge/kb/article/a62965844

0x18 Pre-authentication information was invalid Usually means bad password

 

Best Regards
Gustav

 

Thank you for you answers!

Reply